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SECRET//SI//REL 1 


Discovery and description of bugs by Flash. 

/usr/libexec/sandboxd or not... 

I was hopeful to be able to get persistence by trigger the parsing of a custom sandbox profile by either modifying one of 
the framework.sb files on disk (see below for a list) or by trying to launch a binary with a non-default seatbelt profile. 
Unfortunately, it looks like in iOS 9.0 sandboxd is no longer present although the kernel still checks to see if it is present 
and will run it if it is. All of the profiles are pre-compiled in the kernel unless a call to sandboxjnit is made. In previous 
iOS versions the kernel would query sandboxd for specific seatbelt names, sandboxd would then check 
"/usr/local/share/sandbox/%s.sb" for a tiny scheme profile, compile it if its present and return it, otherwise it would check 
it's precompiled list and return one of those. 


Potential for sandboxd 

I believe sandboxd could be used as either a sandbox escape or a persistence method. There are a few bugs in the tiny 
scheme parser, which could be used to gain execution in the parsing process. Persistence would be achieved by 
triggering a sandbox parse at boot. A sandbox escape would probably be triggered by talking to sandboxd and getting it 
to parse the sandbox (I haven't verified this is possible) or triggering in the same manner as persistence) 

Tiny Scheme Parser 

Apple seems to have taken version 1 .38 of the Tiny Scheme project (available online, google it or check workshop 
output) and modified it a little. Most modifications are fixes for the most obvious bugs in the program: changing sprintf to 
snprintf and adding some more size checks but they have not fixed everything. In fact, they haven't even bothered 
keeping up with the Tiny Scheme project, which is now on version 1 .41 . Apple have also added a couple of new 
members and changed some sizes in the struct scheme. These are fairly trivial to reverse but comparing each function in 
a disassembler with the Tiny Scheme source version. 

Apple uses Tiny Scheme to create a vector of sandbox rules that it then converts to a compiled sandbox profile. I haven't 
analysed this as much but it may well also contain errors. It this intermediate layer that aids in reversing compiled 
sandbox profiles. The compiled profile is then given to the kernel to handle. 

Crashes and Bugs: 

I've found a few memory corruption bugs and a handful of type confusion bugs but no memory leaks.. .yet. For the most 
part, this renders these corruption bugs useless but the type confusion is still usable. There is possibility of garbage 
collection bugs but I didn't see any. It also looks like there a bunch of integer overflow bugs but triggering them may be 
hard/impossible because the maximum accepted integer by the parser is MAX_SIGNED_INT. 


Use of a preallocated fixed buffer when malloc fails in store string 0 

(version l) 

(define z (make-string 2147483647)) 

| (define y (make-string 2147483647)) 

2. Some version of this causes a corruption 

I (version 1) 

(define z (make-string 2147483647)) # Take up a lot of memory to speed up the next part 
(define y (string-append "string of 1024 bytes" "string that write of end of buffer")) 

(define yi (string-append "string of 1024 bytes" "string that write of end of buffer")) 

(define y2 (string -append "string of 1024 bytes" "string that write of end of buffer")) 

# ... Eventually, this there will be no mo memory left for the allocation ofyn and strbuffwill be 
used instead. 

When malloc fails in store_string() it sets a no_memory flag and returns a preallocated fixed length buffer, strbuff. At the 
end of evaluation of the current tiny scheme command, no_memory flag is checked and the process is ended. However, 
we still have the remainder of the current command to make use of this, make-string can be used to allocate a lot of 
memory quickly, string-append iterates through the list of strings, adding up the lengths then tries to allocate a buffer to 
hold them all. When that fails it uses strbuf(a char[1024], which is part of struct scheme) Script 2 above, will first fill up 
the first 1 024 bytes, any remaining strings/bytes will write off the end of the buffer. There are some members of the struct 
scheme that we can corrupt but nothing useful. 

Type Confusion in Let Statements 

(version 1) 

(define (confused a) 

(let* 
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(define x (confused 2)) # Trigger the bug 
(error x) # Set the error to be printed out 


; of 0x41414141 via type confusion 


None of the let statements check the input parameters to the call. They all assume a variant on a list of arguments or a 
list of list of arguments. All types of arguments are represented as a Cell, which is a structure containing a type member 
and union structure of data. LET calls should check the type member before selecting the _cons (list type) member of the 
union and using that to get the elements. This allows us to use other types to be used as lists. This causes call such as 
cadd.-. ), which should get the tail of the list at the head of the list of arguments ( [b2,b3,...] in the following [ [a1,a2, a3,...], 
[b1,b2, b3, ...], ...] ), to dereference the string value pointer of a string cell and then dereference the 8th to 12th bytes a 
pointer. This is what happens in the above script. Its a bit confusing. This can probably be used in two ways: either by 
finding a type confusion that allows us to create a cell that uses the contents of the string a the cell structs contents; or by 
doing some heap set up to borrow a valid pointer from another structure in memory by using something similar to 
"xxxxxxxXO" which, when used in the above script will cause the pointer to be read from the memory after the string 
buffer. Aligning memory to be ["\0" I cell struct ] might give us all the control we need to create malleable types. 

Let operations: OP_LET1 , OP_LET2, OP_LETOAST, OP_LET1 REC 


Notes 

• Apple is using TinySCHEME vl .38 with some custom modifications 

• TinyScheme vl .38 is compiled into libsandbox.1 .dylib 

• libsystem_sandbox.dylib dlopen()'s libsandbox.1 .dylib 

• it dlsymO's the following exported functions: 

• sandbox_wake_daemon 

• sandbox_create_params 

• sandbox_set_param 

• sandbox_free_params 

• sandbox_compile_named 

• sandbox_apply 

• sandbox_compile_file 

• sandbox_apply 

• sandbox_free_profile 

• sandboxd uses libsandbox.1 "sandbox_" functions 

• only 1 spot where it uses sandbox_compile_file 


Files 

• TinyScheme init files: 

• iOS init.scm is compiled into libsandbox.1 .dylib 

[_Qinit.scm.ios.txt O 


(^p init.scm.default.txt O 


[ [j sandbox_profile.ios.txt O 

• TinyScheme init differences: 

• IOS: 

• ;; These use an internal strcmp. 

(define (string=? a b) (= (internai-strcmp a b #f) 0)) 
(define (string<? a b) (< (internai-strcmp a b #f) 0)) 
(define (string>? a b) (> (internai-strcmp a b #f) 0)) 
(define (string<=? a b) (<= (internai-strcmp a b #f) 0)) 
(define (string>=? a b) (>= (internai-strcmp a b #f) 0)) 

(define (string-ci=? a b) (= (internai-strcmp a b #t) 0)) 
(define (string-ci<? a b) (< (internai-strcmp a b #t) 0)) 
(define (string-ci>? a b) (> (internai-strcmp a b #t) 0)) 
(define (string-ci<=? a b) (<= (internai-strcmp a b #t) 0)) 
(define (string-ci>=? a b) (>= (internai-strcmp a b #t) 0)) 


• Stock (vl .38): 

• ; Note the trick of returning (cmp x y) 

(define (string-cmp? chomp cmp a b) 

(let ((na (string-length a)) (nb (string-length b))) 

(let loop ((i 0)) 

(cond 
((= i na) 

(if (= i nb) (cmp 0 0) (cmp 0 1 ))) 

((= i nb) 

(cmp 1 0)) 

((chcmp = (string-ref a i) (string-ref b i)) 

(loop (succ i))) 

(chcmp cmp (string-ref a i) (string-ref b i))))))) 

(define (string=? a b) (string-cmp? char-cmp? = a b)) 

(define (string<? a b) (string-cmp? char-cmp? < a b)) 

(define (string>? a b) (string-cmp? char-cmp? > a b)) 

(define (string<=? a b) (string-cmp? char-cmp? <= a b)) 
(define (string>=? a b) (string-cmp? char-cmp? >= a b)) 


(define (string-ci=? a b) (string-cmp? char-ci-cmp? = a b)) 
(define (string-ci<? a b) (string-cmp? char-ci-cmp? < a b)) 
(define (string-ci>? a b) (string-cmp? char-ci-cmp? > a b)) 
(define (string-ci<=? a b) (string-cmp? char-ci-cmp? <= a b)) 
(define (string-ci>=? a b) (string-cmp? char-ci-cmp? >= a b)) 

• TinyScheme init additions: 

• iOS: 

• (define (take I n) 

(if (= n 0) 

'() 

(cons (car I) (take (cdr I) (- n 1))))) 

(define (drop I n) 

(if (= n 0) 

(drop (cdr I) (- n 1)))) 


File System 

• Dumped filsystem of: iPhone 5C v8.3 1 2F70 

• I never worked out why all these files were present. Each framework.sb is different but none of them are 
used. They are probably just remnants from OSX or used maybe as a reference. It is worth keeping an eye 
on, if they ever get used then our technique may be available again. 

• ./System/Library/Frameworks/Accounts.framework/framework.sb 

• ./System/Library/Frameworks/CloudKit.framework/framework.sb 

• ./System/Library/PrivateFrameworks/CommunicationsFilter.framework/framew 

• ./System/Library/PrivateFrameworks/CoreSuggestions.framework/framework.s 

• ./System/Library/PrivateFrameworks/DiagnosticLogCollection.framework/frame 


./System/Li brary/PrivateFrameworks/FamilyCircle.framework/framework.sb 
./System/Library/PrivateFrameworks/FamilyNotification.framework/framework.s 

./System/Li brary/PrivateFrameworks/HSAAuthentication.framework/framework. 


./System/Li brary/PrivateFrameworks/IDS.framework/framework.sb 
./System/Li brary/PrivateFrameworks/IMAVCore.framework/framework.sb 
./System/Library/P rivateFrameworks/lMCore.framework/framework.sb 
./System/Li brary/PrivateFrameworks/lMDMessa 


./System/Library/P rivateFrameworks/lMDPersistence.framework/framework.sb 
./System/Li brary/PrivateFrameworks/IMFoundation.framework/framework.sb 
./System/Library/PrivateFrameworks/IMTranscoding.framework/framework.sb 
./System/Library/PrivateFrameworks/IMTransferServices.framework/framework 

./System/Library/PrivateFrameworks/Marco.framework/framework.sb 
./System/Library/P rivateFrameworks/WebUl.framework/XPCServices/com.appI 
e.Safari.SocialHelper.xpc/com.apple.Safari.SocialHelper.sb 
./System/Library/P rivateFrameworks/WebUl.framework/XPCServices/com.appI 


e.Safari.WebFeedParser.xpc/com.apple.Safari.WebFeedParser.sb 
Files containing reference to ".sb": 

• System/Library/Frameworks/Accounts.framework/_CodeSignature/CodeResou 
rces: <key>framework.sb</key> 

• System/Library/Frameworks/CloudKit.framework/_CodeSignature/CodeResour 
ces: <key>framework.sb</key> 

• System/Library/Frameworks/SystemConfiguration.framework/get-mobility-info: 
${PRIV} cat A/ar/run/com.apple.discoveryd-trace.sb > com.apple.discoveryd- 
trace.sb 2>/dev/null 

• System/Library/PrivateFrameworks/CommunicationsFilter.framework/_CodeSi 
gnature/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/CoreSuggestions.framework/_CodeSignatu 
re/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/DiagnosticLogCollection.framework/_Code 
Signature/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/FamilyCircle.framework/_CodeSignature/C 
odeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/FamilyNotification.framework/_CodeSignat 
ure/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/HSAAuthentication.framework/_CodeSigna 
ture/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/iDS.framework/_CodeSignature/CodeReso 
urces: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/IMAVCore.framework/_CodeSignature/Cod 
eResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/IMCore.framework/_CodeSignature/CodeR 
esources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/iMDMessageServices.framework/_CodeSi 
gnature/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/IMDPersistence.framework/_CodeSignatur 
e/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/IMFoundation.framework/_CodeSignature/ 
CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/IMTranscoding.framework/_CodeSignature 
/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/IMTransferServices.framework/_CodeSign 
ature/CodeResources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/Marco.framework/_CodeSignature/CodeRe 
sources: <key>framework.sb</key> 

• System/Library/PrivateFrameworks/WebUl.framework/XPCServices/com.apple 
.Safari.SocialHelper.xpc/_CodeSignature/CodeResources: 

<key>com.apple. Safari. SocialHelper.sb</key> 

• System/Library/PrivateFrameworks/WebUl.framework/XPCServices/com.apple 
.Safari. SocialHelper.xpc/com.apple. Safari. SocialHelper.sb:(import "system.sb") 

• System/Library/PrivateFrameworks/WebUl.framework/XPCServices/com.apple 
.Safari.WebFeedParser.xpc/_CodeSignature/CodeResources: 
<key>com.apple.Safari.WebFeedParser.sb</key> 

• System/Library/PrivateFrameworks/WebUl.framework/XPCServices/com.apple 
.Safari.WebFeedParser.xpc/com.apple.Safari.WebFeedParser.sb:(import 

• private/var/mobile/Containers/Bundle/Application/0A7DD749-F1C0-4E3D- 
9D1C-B20C84B7F93C/stable.app/gm-config/ANY/GIPTLDsList.plist: 
<string>com.sb</string> 

• var/mobile/Containers/Bundle/Application/0A7DD749-F1 C0-4E3D-9D1 C- 
B20C84B7F93C/stable.app/gm-config/ANY/GIPTLDsList.plist: 
<string>com.sb</string> 


